Approaches to detecting malware have changed along with the approaches to creating malware. Early efforts focused on identifying each new virus as it proliferated from computer to computer via floppy disk. With the growth of the Internet and World Wide Web came new mechanisms for malware to be transmitted and new vulnerabilities for malware developers to exploit, and anti-malware system developers responded with new techniques for detecting and eradicating malware infections.
One recent trend in malware detection is the use of reputation. Highly prevalent files, such as executable program files for common software applications, may be identified as “known safe” by anti-malware systems, partly because of their prevalence, but also because their provenance has been established and they have been thoroughly tested. Less prevalent files present a greater challenge. A new, previously-unencountered file appearing on a computer hard drive may be a piece of custom software a user has created for their own use or a new instantiation of polymorphic malware. It may also be part of a targeted attack—a program custom designed to take advantage of resources and vulnerabilities within an organization to steal valuable data, compromise security systems, or commit sabotage.
One factor that may be considered when evaluating less-prevalent files is the reputation of the computing device on which they are found. A computer may acquire a bad reputation through frequent malware infection because, for example, it is missing an operating system patch that closes a security hole, or because the user habitually visits websites that spread malware. Computer reputation, however, may be an imprecise factor in determining the safety of a file on the computer. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for establishing reputations of files.
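The following is an added illustration of the two signals described above, prevalence and device reputation, combined into a file reputation score; it is example code written for this section, not the method claimed by the disclosure, and the thresholds, field names and sample devices are assumptions. It treats a device with little history as low-confidence rather than as bad, which is one way to account for computer reputation being an imprecise factor.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the disclosure): a file seen on at least this many
# devices is treated as "known safe" on prevalence alone.
PREVALENCE_KNOWN_SAFE = 1000
# Number of scan periods needed before a device's history counts as fully reliable.
FULL_CONFIDENCE_PERIODS = 30


@dataclass
class Device:
    device_id: str
    infections: int    # past malware detections on this device
    observations: int  # scan periods for which history exists


def device_reputation(dev: Device) -> tuple[float, float]:
    """Return (score, confidence); score 1.0 means a clean history.

    Confidence grows with the amount of history, so a device with few
    observations contributes little to any file's reputation."""
    if dev.observations == 0:
        return 0.5, 0.0
    infection_rate = dev.infections / dev.observations
    confidence = min(1.0, dev.observations / FULL_CONFIDENCE_PERIODS)
    return 1.0 - infection_rate, confidence


def file_reputation(file_hash: str, sightings: dict[str, set[str]],
                    devices: dict[str, Device]) -> tuple[str, float]:
    """Label a file from its prevalence and the reputation of its host devices."""
    hosts = sightings.get(file_hash, set())
    if len(hosts) >= PREVALENCE_KNOWN_SAFE:
        return "known_safe", 1.0          # highly prevalent: safe on prevalence alone
    if not hosts:
        return "unknown", 0.5             # never observed: nothing to reason from
    weighted_score = total_confidence = 0.0
    for device_id in hosts:               # low prevalence: fall back to device reputation
        score, confidence = device_reputation(devices[device_id])
        weighted_score += score * confidence
        total_confidence += confidence
    if total_confidence == 0.0:
        return "unknown", 0.5             # hosts have no usable history
    reputation = weighted_score / total_confidence
    if reputation < 0.4:
        return "suspicious", reputation
    if reputation > 0.8:
        return "likely_safe", reputation
    return "unknown", reputation
```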